First, don’t feel too bad — phishing attempts are getting very, very sophisticated. I haven’t fallen for one yet, but I’ve come darned close a time or two.
But be prepared for a painful recovery if the phishing was successful.
How to tell if you’ve been phished depends on where in the process you are: looking at an email, after clicking a link in the email or other source, or some time thereafter.
What to do after that depends on what information you gave in response to the phishing attempt.
Become a Patron of Ask Leo! and go ad-free!
In my article, Phishing: How to Know it When You See It, I discuss how to identify potential phishing attempts.
The rule of thumb is to never click on a link in email unless you’re positive it’s safe. Go to the site yourself (by typing the URL into your browser or using a bookmark you’ve saved previously) and log into your account by hand.
If you want more clues as to whether or not an email is a phishing attempt, look carefully at the link you’ve been sent. For example, this link:
does not take you to eBay. You can tell before clicking on it, since most email programs and web browsers allow you to hover your mouse pointer over the link and show you, either as a tool tip or in the status bar, where the link really goes.
When you look at where the link really goes, ensure that:
- The destination matches what you expect. Exactly. If the link claims to be eBay, it should be for eBay.com. Targets like http://ebay.com.hacker.com, http://ebay.signin.services.ru, http://www.ebay.cc (note that it’s not “.com”) are all attempts to deceive you.
- The destination is a name, not a number. If the destination of the link takes you to a link that has numbers, such as http://18.104.22.168, it’s probably not valid, and definitely not worth the risk.
- The destination is secure. That means it should begin with https:. If the target destination begins with the regular, unsecured, http: (without the “s”), chances are it’s not legitimate.
If you’re at all uncertain, skip the link and just go to the service yourself, manually.
OK, you clicked. By mistake, but you clicked. And it looks totally legitimate. How can you be sure? There are several tests:
- All the tests for the link before you clicked it now apply to whatever you see in the address bar as the URL of the page you landed on. If it’s not what you expect — if it’s a number, if it’s not https secure — chances are it’s bogus. If you click on my example eBay link above, this is what you’ll see in your address bar:
Needless to say, that’s not eBay. Don’t continue. (Unless you want to buy me coffee, of course. 🙂 ).
- If your password manager (such as LastPass) usually signs you in automatically for this service and it fails to do so this time, then it didn’t recognize the URL as the legitimate URL. Don’t proceed.
- If the site asks you to “reconfirm” by providing sensitive information like your credit card number, don’t do it. It’s likely bogus. Merchants do not need to update your entire credit card number if they keep it on file and all they need is a new expiration date. Banks never need this information, as they’re the ones that have it to begin with!
- If, after you “log in”, you’re only presented with the information you just provided, it’s very suspicious. Legitimate services typically recognize you and display more details that they already have. If the site doesn’t do something like this, then it’s possible they’re simply trying to collect your information.
If, after you do sign in or provide your information, you get an error message, or a “service temporarily down” message, or nothing at all … it’s likely you’ve been “phished”.
You think you’ve been phished. Now what?
As recommended by the Federal Trade Commission, you may need to do several things.
If you provided credit card or other account information to the phisher, you probably need to close those accounts. You’ll at least want to contact the appropriate customer service department for each and tell them what happened.
You’ll need to contact the consumer credit reporting agencies. This is particularly important if you live in the U.S. and gave up your social security number. This is one way identity theft happens: the successful phishers can open accounts in your name that you know nothing about.
You may want to file a report with the police. This can be an important piece of data to prove you were the victim of identity theft.
The lesson here?
I’m sure you’ve heard stories of how recovering from identity theft can be difficult, painful, and time-consuming.
The real lesson here, the one thing to walk away with, is simply this: prevention is a much easier than recovery. Pay attention, remain skeptical, and avoid the problem in the first place, and you’ll be much, much safer.
There’s an old adage about telephone marketers: never give any information to someone if they called you. Only give information to someone you called. The idea is that you know who you called, and can verify who you’re calling.
The same is true for the internet: never give information to someone who independently asks for it. Only give information in transactions you initiate with sites you know.
When you go to eBay.com and log in to your own account, you know it’s really eBay and that it is your account. But if you get email from someone claiming to be eBay, it simply might not be them.